The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books: "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Monday, September 22, 2008

Updates regarding Analysis

There's always something new on the analysis front, isn't there? It seems that I'll go away on a gig for a week or simply not pay attention to what's happening in the community, and BAM! It gets kicked up a notch!

First off, Moyix posted an excellent explanation of how the Windows message queue can be used as a forensic resource during analysis of a memory dump. Reading through the post, it's clear that while this analysis technique might not always work and provide relevant information, we all know that there are enough "buggy" apps out there that it's worth using the Volatility plugin that Moyix wrote to pull this data and have a look. The Windows message queue can hold messages that haven't been processed by the system, giving the examiner a clue as to the activity on the system at one point. The messages are associated with threads, which can be associated with a process, tying that information to an executable image file and a user.
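To make the attribution chain concrete (queued message, to the thread that owns it, to that thread's process, to the process's image file and user), here is an added example in Python. It is not Moyix's plugin and not Volatility code; the fixed-size record layout, the thread table and the process table are constructed sample data, since the real win32k queue structures are undocumented and differ from this. The message identifiers in `WM_NAMES` are the genuine winuser.h values and are used only to label output. A thread with no matching process entry is kept but flagged as unresolved, which is the case the post warns about: the technique does not always give a complete answer.

```python
"""Correlate unprocessed window messages with threads, processes and users.

Added example, not Moyix's plugin or Volatility code. The record layout,
thread table and process table below are constructed sample data; the real
win32k structures differ and are undocumented, so this only shows the
attribution chain (message -> thread -> process -> image/user) in code.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Real Win32 message identifiers (winuser.h); used only to label output.
WM_NAMES = {
    0x000F: "WM_PAINT",
    0x0012: "WM_QUIT",
    0x0100: "WM_KEYDOWN",
    0x0102: "WM_CHAR",
    0x0111: "WM_COMMAND",
    0x0113: "WM_TIMER",
    0x0201: "WM_LBUTTONDOWN",
}

# Hypothetical fixed-size queue record: tid, hwnd, message, wParam, lParam, time
# (little-endian, 32-bit fields). This is NOT the actual kernel layout.
RECORD_FMT = "<IIIIII"
RECORD_SIZE = struct.calcsize(RECORD_FMT)


@dataclass
class QueuedMessage:
    tid: int
    hwnd: int
    message: int
    wparam: int
    lparam: int
    time: int


@dataclass
class Attribution:
    tid: int
    pid: Optional[int]
    image: str
    user: str
    message: str
    time: int


def parse_queue(blob: bytes) -> list:
    """Split a queue region into records; a trailing partial record is ignored."""
    usable = len(blob) - len(blob) % RECORD_SIZE
    return [QueuedMessage(*f) for f in struct.iter_unpack(RECORD_FMT, blob[:usable])]


def attribute(messages, threads, processes) -> list:
    """Walk message -> owning thread -> process -> image file and user.

    Threads with no process entry (exited, or the structure was paged out)
    are kept but flagged, since not every message will resolve."""
    out = []
    for m in messages:
        pid = threads.get(m.tid)
        proc = processes.get(pid) if pid is not None else None
        image, user = proc if proc else ("<unresolved>", "<unresolved>")
        name = WM_NAMES.get(m.message, f"0x{m.message:04X}")
        out.append(Attribution(m.tid, pid, image, user, name, m.time))
    return out


# --- constructed sample input (not taken from any real memory image) ---
SAMPLE_QUEUE = b"".join(struct.pack(RECORD_FMT, *r) for r in [
    (0x1F4, 0x00050ABC, 0x0102, ord("p"), 0, 7231002),          # WM_CHAR 'p'
    (0x1F4, 0x00050ABC, 0x0100, 0x0D, 0, 7231150),              # WM_KEYDOWN, VK_RETURN
    (0x2A8, 0x000A0123, 0x0201, 0, (210 << 16) | 44, 7231400),  # left click at (44,210)
    (0x3C0, 0x00000000, 0x0012, 0, 0, 7231900),                 # WM_QUIT, thread has no process
]) + b"\x01\x02\x03"  # deliberately truncated trailing bytes

SAMPLE_THREADS = {0x1F4: 1880, 0x2A8: 2044}  # tid -> pid
SAMPLE_PROCESSES = {                          # pid -> (image path, user)
    1880: (r"C:\Program Files\Notepad++\notepad++.exe", "WORKSTATION\\jdoe"),
    2044: (r"C:\Windows\explorer.exe", "WORKSTATION\\jdoe"),
}


def report(blob=SAMPLE_QUEUE, threads=SAMPLE_THREADS, processes=SAMPLE_PROCESSES) -> list:
    """Parse the queue region and return one Attribution per queued message."""
    return attribute(parse_queue(blob), threads, processes)


if __name__ == "__main__":
    for a in report():
        print(f"t={a.time} tid=0x{a.tid:X} pid={a.pid} {a.message:15} {a.image} ({a.user})")
```

Against a real dump the thread and process tables would come from the memory analysis framework's thread and process listings rather than from the constructed dictionaries above; the correlation step itself is the same.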

Also, at the end of the post, Moyix mentions the possibility of getting a screen capture from a memory dump!

Excellent work, Moyix...keep it up! Also, reader...keep an eye on Moyix's blog for new plugins to add to Volatility, and expand your capabilities.

From Moyix's blog, I linked on over to the SysInternals Forums to read about a proof-of-concept tool called CrsWalker, from Diablo. This is a very interesting read...even though further down the thread it becomes clear that the detection method the tool uses can be circumvented, it's very interesting to see the thought process that Diablo used to develop his code. I don't think it would be a bad idea at all to get a copy of this and run it along with other tools, such as GMER or AV scanning apps.